docs: LDAP separate credentials file (#136)
* docs: LDAP separate credentials file

Signed-off-by: mbshields <[email protected]>

* docs: LDAP - comments

Signed-off-by: mbshields <[email protected]>

* docs: LDAP - added upgrade warning

Signed-off-by: mbshields <[email protected]>

---------

Signed-off-by: mbshields <[email protected]>
mbshields authored Nov 21, 2023
1 parent 06c8aa4 commit 7c51a84
Showing 2 changed files with 29 additions and 6 deletions.
29 changes: 23 additions & 6 deletions docs/articles/authn-authz.md
Expand Up @@ -116,6 +116,7 @@ zot supports integration with an LDAP-based authentication service such as Micro
...
"auth": {
"ldap": {
"credentialsFile": "examples/config-ldap-credentials.json",
"address": "ldap.example.org",
"port": 389,
"startTLS": false,
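Review bot: the `credentialsFile` value added in this hunk, `examples/config-ldap-credentials.json`, is a relative path, and the surrounding text does not say what it is resolved against (zot's working directory or the directory of the main config file). Since this file will hold the bind password, the example should use an absolute path and the text should state that the file must be readable only by the user zot runs as.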
Expand All @@ -131,22 +132,38 @@ zot supports integration with an LDAP-based authentication service such as Micro
}
```

The following table lists the configurable attributes for LDAP
authentication.
The following table lists the configurable attributes for LDAP authentication.

| Attribute | Description |
|-----------------|----------------------------------------------------------------------------------|
| `credentialsFile` | The path to a file containing the bind credentials for LDAP. |
| `address` | The IP address or hostname of the LDAP server. |
| `port` | The port number used by the LDAP service. |
| `startTLS` | Set to `true` to enable TLS communication with the LDAP server. |
| `baseDN` | Starting location within the LDAP directory for performing user searches. |
| `userAttribute` | Attribute name used to obtain the username. |
| `userGroupAttribute` | Attribute name used to obtain groups to which a user belongs. |
| `bindDN` | Base Distinguished Name for the LDAP search. |
| `bindPassword` | Password of the bind LDAP user. |
| `userAttribute` | Attribute name used to obtain the username. |
| `userGroupAttribute` | Attribute name used to obtain groups to which a user belongs. |
| `skipVerify` | Skip TLS verification. |
| `subtreeSearch` | Set to `true` to expand the scope for search to include subtrees of the base DN. |


To allow for separation of configuration and credentials, the credentials for the LDAP server are specified in a separate file, as shown in the following example.

``` json
{
"bindDN":"cn=ldap-searcher,ou=Users,dc=example,dc=org",
"bindPassword":"ldap-searcher-password"
}
```

The following table lists the configurable attributes of the LDAP credentials file.

| Attribute | Description |
|-----------------|----------------------------------------------------------------------------------|
| `bindDN` | Base Distinguished Name for the LDAP search. |
| `bindPassword` | Password of the bind LDAP user. |


### htpasswd

Enable and configure `htpasswd` authentication in the zot
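Review bot: the description of `bindDN` in the new credentials-file table (`| \`bindDN\` | Base Distinguished Name for the LDAP search. |`) is carried over from the row being removed from the main table and is inaccurate: the search base is `baseDN`, while `bindDN` is the distinguished name of the account zot binds as (the `cn=ldap-searcher,ou=Users,dc=example,dc=org` entry in the example) in order to run those searches. Suggest `Distinguished Name of the account zot binds as to search for users.` Because `bindPassword` now lives in a file of its own, the sentence introducing the credentials file should also say that the file must be kept readable only by the zot process user. Minor: `skipVerify` is still described only as `Skip TLS verification.`; stating that it disables server certificate validation and is meant for testing only would help in a section that now deals explicitly with credential handling.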
6 changes: 6 additions & 0 deletions docs/general/whats-new.md
Expand Up @@ -30,6 +30,12 @@

- The validity of an image's signature can be [verified](../articles/verifying-signatures.md) by zot. Users can upload public keys or certificates to zot.

### LDAP credentials stored separately from configuration

- The LDAP credentials are removed from zot's LDAP configuration and stored in a separate file. See zot's [LDAP documentation](../articles/authn-authz.md).

:warning: This LDAP configuration change is incompatible with previous zot releases. When upgrading, you must reconfigure your LDAP credentials if you use LDAP.

### Storage deduplication on startup

- [Deduplication](../articles/storage.md), a storage space saving feature, now runs or reverts at startup depending on whether the feature is enabled or disabled. You can trigger deduplication by enabling it and then restarting zot.
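Review bot: the `:warning:` paragraph tells operators they must reconfigure LDAP credentials but not what the change consists of; say explicitly that `bindDN` and `bindPassword` are no longer accepted in the `ldap` block of the main config and must be moved to the file named by the new `credentialsFile` attribute, so the release note is actionable without following the link. It would also help to state what zot does at startup if the old keys are still present in the main config (rejects the configuration or ignores them), since that determines whether a missed migration fails loudly.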

0 comments on commit 7c51a84

Please sign in to comment.